What STIG audit rule picks up type=SOFTWARE_UPDATE events?